Slightly old but these articles may help with some ideas: https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/blog-series-limitless-advanced-hunting-with-azure-data-explorer/ba-p/2328705
https://jeffreyappel.nl/export-microsoft-defender-for-endpoint-security-events-with-the-streaming-api/
Obviously the data is already in a custom Log Analytics workspace (but you can only access it from the portal which maybe an issue?).
You could also use Microsoft Sentinel as that has a native connector (called:"Microsoft Defender XDR" connector) to move data to another Workspace (even if you dont use Sentinel afterwards). https://learn.microsoft.com/en-us/defender-xdr/microsoft-sentinel-onboard